From 0c5a9b5f44a881c7e771382a24392e444ace30df Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Wed, 17 Jun 2026 13:52:52 +0000
Subject: [PATCH] k8s-version-upgrade: grant pods/log so preflight can verify the etcd snapshot
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Preflight step 6 confirms the pre-upgrade etcd snapshot is non-empty by parsing the backup Job's log (`kubectl -n default logs job/pre-upgrade-etcd-...`). The k8s-upgrade-job ClusterRole granted `pods` get/list/delete but NOT the `pods/log` subresource, so the read failed with Forbidden in the default ns and aborted preflight — after step 5 had already set k8s_upgrade_in_flight=1. A stale out-of-band grant had masked this until a `terragrunt apply` in this session reconciled the role back to its TF definition. Codify pods/log:get.

Co-Authored-By: Claude Opus 4.8
---
 stacks/k8s-version-upgrade/main.tf | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/stacks/k8s-version-upgrade/main.tf b/stacks/k8s-version-upgrade/main.tf
index e036ef91..58c8059b 100644
--- a/stacks/k8s-version-upgrade/main.tf
+++ b/stacks/k8s-version-upgrade/main.tf
@@ -162,6 +162,17 @@ resource "kubernetes_cluster_role" "k8s_upgrade_job" {
 resources = ["pods"]
 verbs = ["get", "list", "delete"]
 }
+ # Read the etcd-snapshot Job's pod logs — preflight verifies the snapshot
+ # size by parsing the backup Job's log (`kubectl logs job/...`). `pods/log`
+ # is a SEPARATE subresource not covered by the `pods` rule above. Missing
+ # this grant aborts preflight step 6 with a Forbidden on pods/log in the
+ # `default` ns (2026-06-17 — surfaced after a stale out-of-band grant was
+ # reconciled away by `terragrunt apply`).
+ rule {
+ api_groups = [""]
+ resources = ["pods/log"]
+ verbs = ["get"]
+ }
 # Read PDBs to find drain-blocking pods
 rule {
 api_groups = ["policy"]
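Review bot: The new `pods/log` rule lives in a ClusterRole, so it grants log reads in every namespace even though the stated need is one backup Job in `default`; pod logs routinely carry credentials and tokens echoed by workloads, so this widens what the upgrade job can read well beyond the snapshot check. If the binding is a ClusterRoleBinding (not visible here), either carve this one grant out into a namespaced Role/RoleBinding in `default`, or record in the comment why cluster-wide scope is accepted, e.g. `# NOTE: cluster-wide as written — the role is already cluster-scoped for drain; scope to a Role in default if the binding allows`. Note also that `kubectl logs job/...` first resolves the Job object, so the read only succeeds if the role also grants `get` on `batch/jobs` somewhere outside this hunk — worth confirming in the same review rather than discovering it at the next preflight. As a matter of style, the six-line comment restates the commit message; the first two lines (purpose plus the subresource caveat) are what a future reader needs in the file, and the date-stamped incident history belongs to `git log`. The enclosing `resource "kubernetes_cluster_role"` block starts before and ends after this hunk.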